EvidenceAtlas
Customer information
How customer information is collected, used, disclosed, and protected.
EvidenceAtlas collects only the information needed to provide the app, operate workspace billing, support users, and keep the service secure. This page is intended to provide the public-facing privacy information expected for Stripe-enabled billing flows.
Information collected
EvidenceAtlas collects information directly from you, automatically through normal product operation, and from the billing or hosting providers that help run the service.
- Account information such as email address, password-authentication state, and optional display name.
- Workspace data you create inside the product, including projects, sources, evidence cards, tags, export settings, and billing-related workspace identifiers.
- Billing and subscription information needed to operate Stripe-based checkout and customer portal flows, such as trusted Stripe customer and subscription identifiers, billing email when available, and mirrored subscription status.
- Technical and usage information needed to operate the site, including authentication cookies, active-workspace continuity cookies, local-storage preferences, server logs, and optional public-site analytics or performance measurements after consent.
How the information is used
- Provide account access, workspace continuity, billing enforcement, exports, and other core product functions.
- Process subscription checkout, billing management, and webhook-based synchronization of trusted workspace billing state.
- Maintain app security, diagnose operational issues, prevent misuse, and improve product reliability.
- Measure public-site usage and performance only where the current cookie/analytics settings allow it.
Parties to whom information is disclosed
EvidenceAtlas does not sell customer information. Information is disclosed only to the service providers and third parties required to deliver the app, process billing, measure the public site where consent applies, or comply with legal obligations.
- Supabase, which provides authentication, database, and session infrastructure for account and workspace data.
- Stripe, which processes billing, checkout, customer portal sessions, and subscription events.
- Vercel, which hosts the app and can process infrastructure logs, plus optional Web Analytics and Speed Insights on the public site after consent.
- Professional advisers, regulators, or law-enforcement authorities when disclosure is legally required or reasonably necessary to protect rights, security, or the service.
Method of disclosure
Disclosures happen through authenticated application workflows, secure API calls, encrypted network requests, controlled processor dashboards, and limited operational review when support or legal compliance requires it.
For example, checkout and customer-portal requests send billing context to Stripe, authentication and product data are processed through Supabase infrastructure, and optional public-site analytics events are sent to Vercel only after a visitor allows that category of processing.
Security practices
- HTTPS/TLS is used for traffic between browsers, the app, and third-party processors.
- Authentication and primary product data are stored behind Supabase Auth, database access controls, and row-level security policies.
- Sensitive billing actions and billing-truth writes are server-managed; client-side redirects do not activate entitlements by themselves.
- Secrets such as Stripe secret keys, webhook signing secrets, and service-role credentials are intended to remain server-only.
- Access is limited to the systems and providers needed to run the service, and support requests are handled through controlled operational channels.
Choices, retention, and contact
You can update profile information, email address, password, and appearance preferences from account settings. Cookie and analytics choices for the public site are described on the Cookies page.
Product data is retained for as long as the account or workspace remains active, unless deletion or legal retention obligations require a different outcome. Billing mirrors and operational logs may be retained for fraud prevention, reconciliation, and support review.
Privacy questions can be sent to security@evidenceatlas.io.